CVE-2025-7684 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Last.fm Recent Album Artwork plugin for WordPress, developed by remysharp. This vulnerability exists in all versions up to and including 1.0.2 due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. Nonce validation is a security mechanism used to ensure that requests made to a web application are intentional and originate from legitimate users. The absence or improper implementation of this validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (via social engineering such as clicking a link), can update plugin settings or inject malicious scripts. This can lead to unauthorized changes in the website’s behavior or content, potentially enabling further attacks such as persistent cross-site scripting (XSS). The vulnerability does not require the attacker to be authenticated but does require user interaction from an administrator, making exploitation dependent on tricking a privileged user. The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and impacts on confidentiality and integrity with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that remediation may still be pending or in progress.

For European organizations using WordPress websites with the Last.fm Recent Album Artwork plugin installed, this vulnerability poses a risk of unauthorized configuration changes and potential injection of malicious scripts. This can compromise the confidentiality and integrity of website content and user data, potentially leading to defacement, data leakage, or the distribution of malware to site visitors. Given that WordPress is widely used across Europe for corporate, governmental, and cultural websites, exploitation could undermine trust and damage reputations. The requirement for administrator interaction means that targeted phishing or social engineering campaigns could be used to exploit this vulnerability. Organizations with high-profile or publicly accessible WordPress sites are at greater risk, especially if they rely on this plugin for media content display. While availability is not directly impacted, the indirect effects of injected malicious scripts could lead to broader security incidents or regulatory non-compliance under GDPR if personal data is exposed.

European organizations should immediately audit their WordPress installations to identify the presence of the Last.fm Recent Album Artwork plugin. Until a vendor patch is available, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If the plugin is essential, organizations should implement additional protective measures such as: enforcing strict Content Security Policies (CSP) to limit script execution, employing Web Application Firewalls (WAF) with rules to detect and block CSRF attempts, and educating administrators about phishing and social engineering risks to reduce the likelihood of inadvertent interaction with malicious links. Additionally, monitoring administrative actions and website content for unauthorized changes can provide early detection of exploitation attempts. Once a patch is released, prompt application is critical. Organizations should also ensure that WordPress core and all plugins are regularly updated and follow best practices for user privilege management to minimize exposure.